[Bro] Bro load with no traffic

Azoff, Justin S jazoff at illinois.edu
Fri Oct 19 12:18:41 PDT 2018


If you are on 2.5.x and not master, this should still work:

http://mailman.icsi.berkeley.edu/pipermail/bro/2016-November/011010.html

I wouldn't bother using it on a production system though.

— 
Justin Azoff

> On Oct 19, 2018, at 3:13 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> Thanks Jon, makes sense now.
> I will see if we would want to deep dive into finding out what exactly is causing the load. :)
> 
> Fatema.
> 
> On Thu, Oct 18, 2018 at 6:26 PM Jon Siwek <jsiwek at corelight.com> wrote:
> On Thu, Oct 18, 2018 at 10:01 AM fatema bannatwala
> <fatema.bannatwala at gmail.com> wrote:
> >
> > Does anyone know why Bro would be using resources when no traffic is flowing to the sensor?
> 
> Currently, Bro's main loop never completely idles in absence of input,
> so something on the order of 5% cpu usage in absence of network
> traffic might still be "normal".  Also note that packets aren't
> the only input source.  As an example, if you shut off traffic
> suddenly, but had a large backlog of Broker messages or continued to
> send/recv remote messages, that could be processing resources that Bro
> continues to use for some time.  The event engine also continues on
> with any scheduled events, etc.
> 
> So not particularly unexpected to hear there's some load in absence of
> packets, but hard to say specifically what causes the load in this
> case -- you may need to profile/trace if you're really interested.
> 
> - Jon